# frozen_string_literal: true

require 'spec_helper'

RSpec.describe 'User with read_vulnerability custom role', feature_category: :system_access do
  let_it_be(:user) { create(:user) }
  let_it_be(:project) { create(:project, :repository, :in_group) }
  let_it_be(:vulnerability) { create(:vulnerability, :with_finding, project: project) }

  before do
    stub_licensed_features(custom_roles: true, security_dashboard: true)

    group_member = create(:group_member, :guest, user: user, source: project.group)
    create(
      :member_role,
      :guest,
      admin_vulnerability: false,
      read_code: false,
      read_vulnerability: true,
      members: [group_member],
      namespace: project.group
    )
    sign_in(user)
  end

  describe Groups::Security::DashboardController do
    describe "#show" do
      it 'user has access via a custom role' do
        get group_security_dashboard_path(project.group)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to render_template(:show)
      end
    end
  end

  describe Groups::Security::VulnerabilitiesController do
    describe "#index" do
      it 'user has access via a custom role' do
        get group_security_vulnerabilities_path(project.group)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to render_template(:index)
      end
    end
  end

  describe Projects::Security::DashboardController do
    describe "#index" do
      it 'user has access via a custom role' do
        get project_security_dashboard_index_path(project)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to render_template(:index)
      end
    end
  end

  describe Projects::Security::VulnerabilityReportController do
    describe "#index" do
      it 'user has access via a custom role' do
        get project_security_vulnerability_report_index_path(project)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to render_template(:index)
      end
    end
  end

  describe Projects::Security::VulnerabilitiesController do
    describe "#show" do
      it 'user has access via a custom role' do
        get project_security_vulnerability_path(project, vulnerability)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.body).to have_text(vulnerability.title)
      end
    end

    describe "#discussions" do
      it 'user has access via a custom role' do
        get discussions_project_security_vulnerability_path(project, vulnerability)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to match_response_schema('entities/discussions')
      end
    end
  end
end
